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REMARKS 

Claims 1-9 and 11 are pending in the application. Claims 9 and 1 1 have been amended. 
Claim 10 has been canceled. Applicant respectfully requests reconsideration and reexamination 
of the pending claims. 

Claims 1-8 are rejected under 35 U.S.C. § 102(e) as being anticipated by U.S. Patent 
Application Publication No. 2003/0065942 to Lineman et al. ("Lineman"). Claims 9 and 10 are 
rejected under 35 LI.S.C. § 103(a) as being unpatentable over Lineman in view of Townsend. 
Applicant overcomes the rejections as follows. 

The Examiner's rejection appears to hinge on equating the term "information security 
object (ISO)" with a "policy document" as disclosed in Lineman. However, ISO's are small 
elements that in larger numbers together may form parts of policy documents. The same objects 
are or can be used and re-used in surveys and in multiple other contexts, for example audits and 
ri-'s as-cs^ir^" » K c i .1. c h elimir1ate^ ihe need for making users maintain similar or 

atiocicilcd co.ixi:. ic r.iultiplc j. --v.„, and also cl.::...iates or minimizes the risk of wrong 
associations or references, for example between parts of policies, quiz questions, answers, audit 
lists, risk assessments. 

Specifically, Claim 1 sets forth, inter alia, "a policy module... for the conversion of said 
piece of security information into an information security object (ISO)..., and a survey 
module... for generating from said ISO an element of a questionnaire." Claim 1 sets forth using 
ISOs in a policy module and generating questionnaires from ISOs. Questionnaires that are 
generated from ISOs provide an automation of the quiz generation process. In an automated 
process, users do not need to draft and edit similar content twice, since it is the same content 
(data) that constitutes the policies and the quizzes. 

Lineman discloses in paragraph [0032] and FIGS. 4 A and 4B, how an administrative user 
can input policy content, however Linemaii ' . how si"*^-e>-s are automat'cally 

generated by the system. In contra.s^ Lineman ai FK S. \. "El ana T iliusiiates that gtueraiing 
quizzes is a manual process thai an aamiaistrati\e user has to carry out. The Lineman system 
"allows the administrator to design questions" (Lineman, para. [0032]), meaning the quizzes are 
manually created, not automatically ''generating from said ISO an element of a questionnaire" as 
set forth in Claim 1 . 
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Lineman does not teach or suggest the uiveniion n^i f-rth in Ck"i-i I mik I ii li 'kJ 
in FIGS. 4B and 5A, the described content canno; b>. ^icd for quizzin,. 1 acre is no ~/lo<!irc 
which teaches a means for an administrative user to provide right and wrong answers and there 
are certainly no means described for the policy management program to automatically determine 
any right and wrong answers. Lineman does not describe nor use any policy entities (smaller or 
larger entities) where right and wrong questions can be specified. The present invention is 
different, in that the policies and the quizzes are created from the same small information 
security objects. Quizzes and policies are not ''associated". They are both built with the same 
objects. If an administrative user selects a number of objects, the quiz may be automatically 
prepared, or, building a quiz with objects also builds a policy. 

Ill contrast. Lineman discloses that the quizzes are associated with the security policy 
document, and Lineman states that the policy document or a part of the policy document and the 
quiz are not the same. (Lineman, para. [0036]) In Lineman different elements need to be 
associated. The fact that quizzes in Lineman are not identical to policy documents or to parts of 
policy documents is disclosed in [0041], where Lineman describes that drafting and editing 
policies is another [user] activity than drafting and editing quizzes. FIG. 7C of Lineman shows 
that quizzes are entered manually and so are policies. In addition. Lineman at paragraph [0047] 
describes that "other fields" include examples of quiz questions. 

Accordingly, since Lineman does not teach or suggest all of the limitations of Claim 1 or 
Claim 7 (which sets forth features similar to Claim 1), Applicant respectfully submits that 
independent Claims 1 and 7 are allowable over Lineman. Dependent Claims 2-6, which include 

the features of independent Claim 1, and dependent Claim 8, which includes the features of 
indepen.dent Claim 7, recite additional features of particular advantage and utility. Moreover, 
these claims are allowable for substantially the same reasons presented above 

Regarding Claim 2, Lineman teaches that only quizzes based on data a quiz administrator 
has entered manually may be scored. As set forth in Claim 2, quizzes based on one or more 
information security objects that include right / wrong answer options automatically being 

determined may be scored. Ti'. -v'ention 'v ■ - 'irdensome to use, because it involves 

less steps and does not have the oisju , .a,iagc of possibi> misleading quiz questions. 
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What is referred to as "Education" in Lineman is simply the quizzes (see oaracraph 
[0065] and Fig. 7A). Educational Module in the present invention includes multimedia, e.g. 
sound, speak, voices, animations, moving pictores, video recordings and recorded computer 
screen shots, which may provide information security learning to computer users throughout the 
organization. 

Claim 9 sets forth, inter aUa. "said ISO including modular content derived from said 
security information and having a unique identifier and security level value, said unique 
identifier used to lir^Jc said ISO to an organizaraon and said security level value used to create a 
security policy including the ISO which matches a default security level value of the 
organisation." Claim 9 also sets forth, "a survey module communicating with said memoty 
means and said output means for generating from said ISO an element of a questionnaire " 
Neither Lineman nor Townsend, nor their combination, teaches or suggests an ISO including 
these features. 

The invention set for ' -i o nm- • 

- '^Prov: 't.v awareness m an organization, and 

uses ISOs to ici- 0 r. u : the generated policies are built with ISO's this kind of 

policy document offers a much higher use value and automation options than policy documents 
built without ISOs. Lineman and Townsend do not disclose a system that provides awareness, 
quizzes, or education in an automated way. With Townsend and Lineman, administrators or 
users would need to manually create educational programs, quizzes, answers, and/or in addition 
to manually creating policies. 

Neither Townsend nor Lineman produce automated awareness quizzes, nor do they 
provide security education as s., lo^h in the present invention, nor do they utilize or describe 
any elements that can provide iW. i - . ^ -vious be \ • ■ , ■ ynC ,,,, , 

Accordingly, Applicant re.p.,tfn|:v .ubmi-- ■ . ...cpendem Uan., 9 ts allowable over 

Lineman in view of Tow?!'-. : ' n p-,,,-,.-- .rx j j 

. V nsend does not teach or suggest all of 
the limitation- ^- CLiin •■ .xn.^., . • ,r n 

■ ■ ..Appiic. ^Pt-'cttlilly requests that the Examiner 

withdraw the rejection. 

Claim 11 was rejected under 35 U.S.C. §102(e) as anticipated by Townsend. Claim 11 
sets forth, inter alia, "modularising the security information to create an information security 
object (ISO); assigning ^ security level value to said ISO; compiling said information security 



7 



Application Serial No.: 10/501,302 

Amendment in Response to Office Action dated April 2, 2008 
Amendment Date: October 1, 2008 

object into a security policy including other ISOs ho, ;k , i,-.., value; and 

generating in a survey module an element of a qucsP rr,a rc iVorn sa, As discu'-sed above 

with regard to Claims 1 and 9. ^ . i ncitiier u.u^ - .^ nor suggests these features. 

Specifically, Townsend discloses an "Adaptive countermeasure selection method and 
apparatus," in contrast to an "Information security awareness system" of the present invention. 
Information security policy asvarei.ess is iv ■ ^ ■ ; nation sec. experts considered an 
appropriate countermeasure. Town.etid uses -po.. . ■ -.areness" as a countermeasure example in 
Townsend (see paragraphs [0021, 10033] and [0115 1]), ffcnvever. Tomisend does not teach or 
suggest a policy manager noi ^- -,o> manager i.i:- a..s anjihing ...e information security 
objects as set forth in Claim 11. nor does Townsend describe any elements or entities similar to 
Information Security Objects. Townsend uses questionnaires for detennining strength level of 
countermeasures, i.e. for risk assessments purposes, and it is certainly not obvious to use the 
same questionnaires for policy awareness purposes. Accordingly, Applicant respectfully submits 
that Claim 1 1 is allowable over Townsend. 
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CONCLUSION 

For the reasons presented above, Applicant respectfully submits that this application, as 
amended, is in condition for allowance. If there is any further hindrance to allowance of the 
pending claims. Applicant respectfully invites the Examiner to contact the undersigned. 

Please charge any additional fees, including any fees for additional extension of time, or 
credit overpayment to Deposit Account No. 11-1159. 



kc pectfully sub;v, .:J., 



Date: October 1.2008 





1 heodore P Lopez >- 



Klein. O'Neill & 4nf^. LLP 
43 Corporate Par k Diive, Suite 204 
Irvine. California ^>Jt)06 
Tel: (949) 955-1920 
Fax: (949) 955 1921 
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